This is a security and bugfix release of MediaWiki 1.12 and MediaWiki 1.13. A vulnerability has been discovered which allows arbitrary HTML injection and thus possible user account compromise. The vulnerability is only present when $wgUseSiteCss is turned on, which is the default. Versions 1.11 and earlier are NOT vulnerable, nor is development branch later than July 28, 2008.

Also, there was the potential for a subtle user error while editing $wgGroupPermissions in LocalSettings.php to cause all restrictions to be disabled. This has been rectified.

Version 1.13.2:

Security: Work around misconfiguration by requiring strict comparisons for in_array in User::isAllowed().

(bug 14944) Added $wgShellLocale for configuration of an appropriate locale to use for LC_CTYPE during shell invocation. For servers that don't have en_US.utf8. Also added locale detection during install.